There’s a reason why they are called “data protection” as opposed to “privacy” laws. In Canada, the privacy rights you have come from the Charter of Rights – our data protection laws provide rules principally as to the collection, use and disclosure of personal information with more than a passing nod to other topics such as retention, access and security. Data protection legislation in Canada is about a balancing of interests and to understand that balance requires a good feel as to the exceptions to the rules. Anti money-laundering law (“AML”) provides a good illustration.
When you consider the vast pool of personal health information that exists in electronic health record databases as well as the growing number of registries (both public and private) a large number of unanswered questions exist as to just what people, as patients and stakeholders, should accept as the “rules” surrounding such data.
I was pleasantly surprised to receive my copy of Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists — I contributed the section on Canada. It is a new book from the Science and Technology Law Section of the American Bar Association. Thomas Shaw did a very good job piecing together a large number of contributions — in a very short time — into a cohesive whole. In browsing the book, I’m impressed with the large volume of information succinctly presented. If you want a good overview of the topic with principally an American focus, then this book is worth a look.
The subject of medical research and personal information protection can quickly become a quagmire. Even raising the subject risks one being tagged as a Grinch-like character who surely must drown kittens and tell those young cancer-stricken children appearing in telethons that there’s no Santa Claus. The win-win scenario is de-identified information with good security around the linking data that connects the raw health information with individual identities. But can researchers really be trusted to protect personal health information?
In Ottawa, there’s talk of an election. From a privacy perspective, this raises questions not only about the fate of Bill C-29 (PIPEDA amendments) but also the anticipated-later-this-year second review of PIPEDA. Even if there isn’t an election, no one knows for sure about the timing of the enactment of C-29 in relation to the review. It’s even possible that the enactment of C-29 might wait to see what further changes could be incorporated as a result of the review. But what should the second review address?
It’s tough to be a hospital these days and I don’t envy the people trying to manage such places. But one thing I do expect is some degree of attention to the confidentiality of patient information. One hospital provides a unique set of facts that raises the question of appropriate regulatory responses.
“You don’t hear it, and unless you know what you’re looking for, you can’t see it.”
Bill C. Nabors Jr., Texas Department of Public Safety
That quote appears in a recent Washington Post story about the use of pilotless drones for domestic surveillance purposes, raising questions as to the use of a new and cheap surveillance tool. The quote could equally apply to any type of surveillance. We don’t like being watched yet we have somehow come to tolerate it.
If you’re someone caught up in a data breach or a person who can point to an actual violation of privacy, an obvious question is whether you suffered harm and whether you should be compensated. Three PIPEDA-related decisions from Canadian courts in 2010 offer a glimpse of different approaches to the subject of privacy-related damages.
“If you build it, he will come”
Shoeless Joe Jackson – Field of Dreams (1989)
In the healthcare IT space, this famous movie line could easily be changed to “If you build a database, they will find secondary uses for it.”
As noted in the previous post, we now have a new American law – the Foreign Accounts Tax Compliance Act (“FATCA”) — that essentially requires organizations in Canada to identify clients who are American; obtain their consent to the disclosure of sensitive personal information to the IRS or withhold the provision of a service for a failure to provide that consent. How does that mesh with the obligations of those organizations under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”)?